ISO/IEC 38500 is the international standard that provides principles and guidance for effective IT governance. It helps governing bodies ensure that the use of information technology supports organisational objectives, delivers value, manages risk, and uses resources responsibly.
ISO/IEC 38500 is not a certifiable standard. It is designed to guide boards, executives, and senior leaders in setting direction and oversight for IT.
What is ISO/IEC 38500?
ISO/IEC 38500 is jointly published by the International Organization for Standardization and the International Electrotechnical Commission.
The standard focuses on governance rather than management. It clarifies how leaders should evaluate, direct, and monitor the use of IT, while leaving day-to-day delivery to management.
What does ISO/IEC 38500 cover?
ISO/IEC 38500 provides a simple, high-level model for governing IT, covering:
- Clear accountability for IT decisions
- Alignment between IT and organisational strategy
- Value creation from IT investments
- Risk management and compliance
- Performance monitoring and transparency
- Responsible use of IT resources
It applies to all forms of IT, including digital platforms, cloud services, data, software, and emerging technologies.
The ISO/IEC 38500 governance model
The standard defines three core governance activities:
Evaluate
Assess current and proposed IT use, strategies, and investments.
Direct
Set policies, priorities, and expectations for how IT should be used.
Monitor
Track performance, conformance, and outcomes against objectives.
This model helps leaders maintain oversight without becoming involved in operational detail.
The six principles of ISO/IEC 38500
ISO/IEC 38500 is built around six governance principles that should guide IT decision-making:
Responsibility
Clear accountability for IT decisions and outcomes.
Strategy
IT supports and enables organisational strategy.
Acquisition
IT investments are justified, transparent, and deliver value.
Performance
IT performs well and meets business requirements.
Conformance
IT complies with legal, regulatory, and internal obligations.
Human behaviour
IT policies and practices respect people and organisational culture.
Together, these principles ensure balanced and responsible use of IT.
Who is ISO/IEC 38500 for?
ISO/IEC 38500 is particularly relevant for:
- Boards and governing bodies
- Chief executives and senior leadership teams
- Non-executive directors
- Public sector and regulated organisations
- Organisations undergoing digital transformation
It is useful wherever leaders need confidence that IT decisions are well governed.
ISO/IEC 38500 vs IT management standards
| ISO/IEC 38500 | IT management standards |
|---|---|
| Governance and oversight | Operational delivery |
| Board and executive focus | Management and teams |
| Principles and guidance | Detailed requirements |
| Not certifiable | Often certifiable |
ISO/IEC 38500 complements standards such as ISO/IEC 20000-1 and ISO/IEC 27001 by setting expectations at leadership level.
How organisations use ISO/IEC 38500 in practice
Organisations commonly use ISO/IEC 38500 to:
- Clarify board-level accountability for IT
- Improve decision-making on digital investment
- Align IT strategy with business objectives
- Strengthen oversight of risk, security, and compliance
- Support assurance and reporting to stakeholders
It is often referenced within governance frameworks, policies, and board charters.
Is ISO/IEC 38500 certification possible?
No. ISO/IEC 38500 cannot be certified.
There are no accredited audits or certificates for this standard. Organisations may state that their IT governance practices are aligned with ISO/IEC 38500 guidance, but this is not the same as certification.
Benefits of using ISO/IEC 38500
Organisations that apply ISO/IEC 38500 effectively often achieve:
- Clearer accountability for IT decisions
- Better alignment between IT and strategy
- Improved value from IT investments
- Stronger oversight of risk and compliance
- Increased confidence at board level
Its value lies in clarity, direction, and assurance, not formal recognition.
Common misunderstandings about ISO/IEC 38500
- “It is an IT management standard” – it focuses on governance
- “It replaces frameworks like ITIL” – it complements them
- “It is only for large organisations” – it is scalable
- “It is too high-level to be useful” – it guides critical decisions
Understanding its role helps organisations apply it effectively.
How ISO/IEC 38500 fits with other ISO standards
ISO/IEC 38500 commonly sits above:
- ISO/IEC 20000-1 (IT service management)
- ISO/IEC 27001 (information security management)
- ISO/IEC 22301 (business continuity management)
- ISO 9001 (quality management systems)
Together, these standards link governance, control, and delivery across IT and the wider organisation.
Next steps
If you want to strengthen IT governance:
- Review board and executive accountability for IT
- Assess current decision-making against ISO/IEC 38500 principles
- Clarify policies for strategy, investment, risk, and performance
- Align IT management standards with governance expectations
ISOcertified.net provides practical guidance on governance-focused ISO standards, including how ISO/IEC 38500 supports effective, responsible oversight of IT in modern organisations.